Exploit And Vulnerability Intelligence
Exploit Intelligence
Leverage best-in-class exploit intelligence from VulnCheck to understand the state of vulnerability exploitation for a given vulnerability.
VulnCheck Exploit & Vulnerability Intelligence replaces the need to have separate scripts for downloading the NIST National Vulnerability Database (NVD), the CISA KEV catalog, etc. By integrating with VulnCheck Exploit & Vulnerability Intelligence, you're integrating with an Open Source Intelligence (OSINT) product that has best-in-class information, in a timely manner, on vulnerability exploitation and vulnerabilities generally.
Most importantly, unlike other purely vulnerability-centric solutions, VulnCheck marries exploit intelligence with vulnerability intelligence. By coupling exploit intelligence with vulnerability intelligence, better insights into vulnerability prioritization & remediation can be gained.
On the exploitation side, VulnCheck Exploit & Vulnerability Intelligence include a wide range of features designed to help understand the state of vulnerability exploitation. Such features include, but are not limited to:
- Monitoring of Git repositories for new exploit PoCs
- Caching of exploit PoCs
- Exploit Maturity classification
- Exploit Type classification
- Evidence of exploitation in-the-wild & exploitation timelines (when did the CVE start being exploited)
Exploit Maturity
| Max Exploit Maturity | Meaning |
|---|---|
| Weaponized | Weaponized typically is an exploit that delivers a substantial payload. For example, Metasploit exploits are considered "weaponized" (as they can deliver meterpreter or other advanced payloads). Exploits used by Ransomware are also considered weaponized. |
| POC | "POC" (proof of concept), is currently anything that can be used to demonstrate exploitation. This can be a blog post, a curl request, a python script, etc. |
Exploit Type Classification
VulnCheck Exploit & Vulnerability Intelligence maintains a Exploit Type field in the block of exploits that are indexed. The Exploit Type field helps distinguish between high impact exploits, like initial access exploits, and lower impact exploits, like denial of service exploits.
Exploit Type Definitions
| Exploit Type | Meaning |
|---|---|
| Initial Access | Initial Access exploits are typically the most high impact exploit published. These vulnerabilities, also sometimes referred to as Remote Code Execution (RCE) vulnerabilities, are remote in nature, and typically do not require credentials to exploit. |
| Remote with credentials | Remote with credentials exploits are exploits that are remote, typically targeting network-bound applications, but require credentials to exploit. |
| Local | Examples of local exploits include those targeting setuid binaries on Linux. |
| Client-side | Examples of client-side exploits include those targeting client applications, such as Microsoft Word or Excel. |
| Infoleak | Infoleak exploits leak data from a target, without compromising the integrity of such a target. |
| Denial of Service | Denial of Service exploits typically cause a service or application to crash. Note: Often a denial-of-service exploit targets an initial-access vulnerability, prior to an initial-access exploit being posted. |
The above table shows the currently available Exploit Types in VulnCheck Exploit & Vulnerability Intelligence.
Example Exploit Record
The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, simply query the exploits index via the /v3/index/:index?cve=:cve API as follows:
curl --request GET \
--url https://api.vulncheck.com/v3/index/exploits?cve=CVE-2019-3396 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer insert_token_here'
The above example searches the exploits index for information on CVE-2019-3396.
Example API Response for Exploits by CVE
After calling the /v3/index/exploits?cve=:cve API endpoint with a valid CVE identifier, a response similar to the below will be returned:
{
"_benchmark": 0.055187,
"_meta": {
"timestamp": "2023-08-30T13:28:14.769815093Z",
"index": "exploits",
"page": 1,
"limit": 100,
"max_pages": 6,
"total_pages": 1,
"total_documents": 1,
"sort": "_timestamp",
"parameters": [
{
"name": "cve",
"format": "CVE-YYYY-N{4-7}"
},
{
"name": "lastModStartDate",
"format": "YYYY-MM-DD"
},
{
"name": "lastModEndDate",
"format": "YYYY-MM-DD"
},
{
"name": "pubStartDate",
"format": "YYYY-MM-DD"
},
{
"name": "pubEndDate",
"format": "YYYY-MM-DD"
}
],
"order": "desc",
"first_item": 1,
"last_item": 1
},
"data": [
{
"id": "CVE-2019-3396",
"public_exploit_found": true,
"commercial_exploit_found": true,
"weaponized_exploit_found": true,
"max_exploit_maturity": "weaponized",
"reported_exploited": true,
"reported_exploited_by_threat_actors": true,
"reported_exploited_by_ransomware": true,
"reported_exploited_by_botnets": true,
"inKEV": true,
"timeline": {
"nvd_published": "2019-03-25T19:29:00Z",
"nvd_last_modified": "2021-12-13T16:05:00Z",
"first_exploit_published": "2019-03-25T00:00:00Z",
"first_exploit_published_weaponized_or_higher": "2019-04-11T00:00:00Z",
"most_recent_exploit_published": "2021-05-01T02:10:04Z",
"first_reported_threat_actor": "2019-08-19T00:00:00Z",
"most_recent_reported_threat_actor": "2021-01-01T00:00:00Z",
"first_reported_ransomware": "2019-04-23T00:00:00Z",
"most_recent_reported_ransomware": "2022-06-22T00:00:00Z",
"first_reported_botnet": "2019-04-26T00:00:00Z",
"most_recent_reported_botnet": "2022-04-27T00:00:00Z",
"cisa_kev_date_added": "2021-11-03T00:00:00Z",
"cisa_kev_date_due": "2022-05-03T00:00:00Z"
},
"trending": {
"github": false
},
"epss": {
"epss_score": 0.97498,
"epss_percentile": 0.9996,
"last_modified": "2023-08-15T13:49:54.769353Z"
},
"counts": {
"exploits": 22,
"threat_actors": 3,
"botnets": 3,
"ransomware_families": 4
},
"exploits": [
{
"url": "https://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html",
"name": "Atlassian Confluence 6.12.1 Template Injection",
"refsource": "packetstorm",
"date_added": "2021-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html",
"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
"refsource": "packetstorm",
"date_added": "2019-04-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://0day.today/exploit/32569",
"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection Exploit",
"refsource": "0day.today",
"date_added": "2019-04-18T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb",
"name": "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
"refsource": "metasploit",
"date_added": "2019-04-11T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "publicly-available"
},
{
"url": "http://packetstormsecurity.com/files/161065/Atlassian-Confluence-6.12.1-Template-Injection.html",
"name": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.",
"refsource": "nvd",
"date_added": "2019-03-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.exploit-db.com/exploits/46731",
"name": "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",
"refsource": "exploitdb",
"date_added": "2019-04-19T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.d2sec.com/exploits/confluence_file_disclosure.html",
"name": "Confluence File Disclosure",
"refsource": "d2elliot",
"date_added": "1970-01-01T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available"
},
{
"url": "https://www.coresecurity.com/core-labs/exploits",
"name": "Atlassian Confluence Widget Connector Macro Vulnerability Exploit",
"refsource": "coreimpact",
"date_added": "2019-05-07T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available"
},
{
"url": "http://packetstormsecurity.com/files/152568/Atlassian-Confluence-Widget-Connector-Macro-Velocity-Template-Injection.html",
"name": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.",
"refsource": "nvd",
"date_added": "2019-03-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "http://www.rapid7.com/db/modules/exploit/multi/http/confluence_widget_connector",
"name": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.",
"refsource": "nvd",
"date_added": "2019-03-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://github.com/Yt1g3r/CVE-2019-3396_EXP",
"name": "Yt1g3r/CVE-2019-3396_EXP exploit repository",
"refsource": "github-exploits",
"date_added": "2019-04-10T02:15:47Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"reference_url": "https://raw.githubusercontent.com/Yt1g3r/CVE-2019-3396_EXP/master/RCE_exp.py",
"clone_ssh_url": "git@github.com:Yt1g3r/CVE-2019-3396_EXP.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/Yt1g3r/CVE-2019-3396_EXP.git"
},
{
"url": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/confluence_macro_lfi",
"name": "confluence_macro_lfi",
"refsource": "canvas",
"date_added": "1970-01-01T00:00:00Z",
"exploit_maturity": "weaponized",
"exploit_availability": "commercially-available"
},
{
"url": "https://www.exploit-db.com/exploits/46731/",
"name": "The Widget Connector macro in Atlassian Confluence Server before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x), allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.",
"refsource": "nvd",
"date_added": "2019-03-25T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://www.exploit-db.com/exploits/49465",
"name": "Atlassian Confluence Widget Connector Macro - SSTI",
"refsource": "exploitdb",
"date_added": "2021-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://0day.today/exploit/35720",
"name": "Atlassian Confluence Widget Connector Macro - SSTI Exploit",
"refsource": "0day.today",
"date_added": "2021-01-22T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
},
{
"url": "https://github.com/abdallah-elsharif/cve-2019-3396",
"name": "abdallah-elsharif/cve-2019-3396 exploit repository",
"refsource": "github-exploits",
"date_added": "2021-02-01T16:10:27Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"reference_url": "https://raw.githubusercontent.com/abdallah-elsharif/cve-2019-3396/main/cve-2019-3396.rb",
"clone_ssh_url": "git@github.com:abdallah-elsharif/cve-2019-3396.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/abdallah-elsharif/cve-2019-3396.git"
},
{
"url": "https://github.com/x-f1v3/CVE-2019-3396",
"name": "x-f1v3/CVE-2019-3396 exploit repository",
"refsource": "github-exploits",
"date_added": "2019-04-09T06:20:51Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"reference_url": "https://raw.githubusercontent.com/x-f1v3/CVE-2019-3396/master/README.md",
"clone_ssh_url": "git@github.com:x-f1v3/CVE-2019-3396.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/x-f1v3/CVE-2019-3396.git"
},
{
"url": "https://github.com/PetrusViet/cve-2019-3396",
"name": "PetrusViet/cve-2019-3396 exploit repository",
"refsource": "github-exploits",
"date_added": "2021-05-01T02:10:04Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://raw.githubusercontent.com/PetrusViet/cve-2019-3396/main/README.md",
"clone_ssh_url": "git@github.com:PetrusViet/cve-2019-3396.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/PetrusViet/cve-2019-3396.git"
},
{
"url": "https://github.com/46o60/CVE-2019-3396_Confluence",
"name": "46o60/CVE-2019-3396_Confluence exploit repository",
"refsource": "github-exploits",
"date_added": "2021-02-05T16:31:30Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"reference_url": "https://raw.githubusercontent.com/46o60/CVE-2019-3396_Confluence/master/exploit.py",
"clone_ssh_url": "git@github.com:46o60/CVE-2019-3396_Confluence.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/46o60/CVE-2019-3396_Confluence.git"
},
{
"url": "https://github.com/jas502n/CVE-2019-3396",
"name": "jas502n/CVE-2019-3396 exploit repository",
"refsource": "github-exploits",
"date_added": "2019-04-10T02:22:24Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"reference_url": "https://raw.githubusercontent.com/jas502n/CVE-2019-3396/master/cve-2019-3396.py",
"clone_ssh_url": "git@github.com:jas502n/CVE-2019-3396.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:github.com/jas502n/CVE-2019-3396.git"
},
{
"url": "https://gitee.com/p4sschen/CVE-2019-3396_EXP",
"name": "p4sschen/CVE-2019-3396_EXP exploit repository",
"refsource": "gitee-exploits",
"date_added": "2020-07-27T02:27:07Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available",
"exploit_type": "initial-access",
"reference_url": "https://gitee.com/p4sschen/CVE-2019-3396_EXP/raw/master/RCE_exp.py",
"clone_ssh_url": "git@gitee.com:p4sschen/CVE-2019-3396_EXP.git",
"clone_ssh_url_cached": "git@git.vulncheck.com:gitee.com/p4sschen/CVE-2019-3396_EXP.git"
},
{
"url": "https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2019/CVE-2019-3396.yaml",
"name": "Atlassian Confluence Server - Path Traversal",
"refsource": "nuclei-templates",
"date_added": "2020-07-07T00:00:00Z",
"exploit_maturity": "poc",
"exploit_availability": "publicly-available"
}
],
"reported_exploitation": [
{
"url": "https://cisa.gov/news-events/cybersecurity-advisories/aa21-209a",
"name": "Top Routinely Exploited Vulnerabilities",
"refsource": "cisa-alerts",
"date_added": "2021-08-20T00:00:00Z"
},
{
"url": "https://us-cert.cisa.gov/ncas/alerts/aa20-275a",
"name": "Potential for China Cyber Response to Heightened U.S.–China Tensions",
"refsource": "cisa-alerts",
"date_added": "2020-10-20T00:00:00Z"
},
{
"url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
"name": "Remote code execution via Widget Connector macro Vulnerability",
"refsource": "cisa-kev",
"date_added": "2021-11-03T00:00:00Z"
},
{
"url": "https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF",
"name": "Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities",
"refsource": "NSA",
"date_added": "2020-10-20T00:00:00Z"
},
{
"url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-209a",
"name": "Top Routinely Exploited Vulnerabilities",
"refsource": "cisa-alerts",
"date_added": "2021-08-20T00:00:00Z"
},
{
"url": "https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a",
"name": "Potential for China Cyber Response to Heightened U.S.–China Tensions",
"refsource": "cisa-alerts",
"date_added": "2020-10-20T00:00:00Z"
},
{
"url": "https://us-cert.cisa.gov/ncas/alerts/AA20-275A",
"name": "Potential for China Cyber Response to Heightened U.S.–China Tensions",
"refsource": "cisa-alerts",
"date_added": "2020-10-20T00:00:00Z"
},
{
"url": "https://us-cert.cisa.gov/ncas/alerts/aa21-209a",
"name": "Top Routinely Exploited Vulnerabilities",
"refsource": "cisa-alerts",
"date_added": "2021-08-20T00:00:00Z"
},
{
"url": "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf",
"name": "Volatile Cedar",
"refsource": "vulncheck-threat-actors",
"date_added": "2021-01-01T00:00:00Z"
},
{
"url": "https://www.mandiant.com/resources/game-over-detecting-and-stopping-an-apt41-operation",
"name": "Wicked Panda",
"refsource": "vulncheck-threat-actors",
"date_added": "2019-08-19T00:00:00Z"
},
{
"url": "https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits",
"name": "Wicked Panda",
"refsource": "vulncheck-threat-actors",
"date_added": "2020-03-25T00:00:00Z"
},
{
"url": "https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF",
"name": "China Attribution",
"refsource": "vulncheck-threat-actors",
"date_added": "2020-10-20T00:00:00Z"
},
{
"url": "https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf",
"name": "LockerGoga",
"refsource": "vulncheck-ransomware",
"date_added": "2019-09-01T00:00:00Z"
},
{
"url": "https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf",
"name": "MegaCortex",
"refsource": "vulncheck-ransomware",
"date_added": "2019-09-01T00:00:00Z"
},
{
"url": "https://www.alertlogic.com/blog/active-exploitation-of-confluence-vulnerability-cve-2019-3396-dropping-gandcrab-ransomware/",
"name": "Gandcrab",
"refsource": "vulncheck-ransomware",
"date_added": "2019-04-23T00:00:00Z"
},
{
"url": "https://www.tenable.com/blog/cve-2019-3396-vulnerability-in-atlassian-confluence-widget-connector-exploited-in-the-wild",
"name": "Gandcrab",
"refsource": "vulncheck-ransomware",
"date_added": "2019-04-30T00:00:00Z"
},
{
"url": "https://www.trendmicro.com/en_us/research/19/e/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit.html",
"name": "Gandcrab",
"refsource": "vulncheck-ransomware",
"date_added": "2019-05-07T00:00:00Z"
},
{
"url": "https://risksense.com/wp-content/uploads/2019/09/RiskSense-Spotlight-Report-Ransomware.pdf",
"name": "Gandcrab",
"refsource": "vulncheck-ransomware",
"date_added": "2019-09-01T00:00:00Z"
},
{
"url": "https://static.tenable.com/marketing/whitepapers/Whitepaper-Ransomware_Ecosystem.pdf",
"name": "Unattributed",
"refsource": "vulncheck-ransomware",
"date_added": "2022-06-22T00:00:00Z"
},
{
"url": "https://www.bleepingcomputer.com/news/security/vulnerable-confluence-servers-get-infected-with-ransomware-trojans/",
"name": "Dofloo",
"refsource": "vulncheck-botnets",
"date_added": "2019-04-26T00:00:00Z"
},
{
"url": "https://digital.nhs.uk/cyber-alerts/2019/cc-3043",
"name": "Dofloo",
"refsource": "vulncheck-botnets",
"date_added": "2019-05-01T00:00:00Z"
},
{
"url": "https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence",
"name": "Sysrv",
"refsource": "vulncheck-botnets",
"date_added": "2021-04-08T00:00:00Z"
},
{
"url": "https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/",
"name": "Sysrv",
"refsource": "vulncheck-botnets",
"date_added": "2021-04-22T00:00:00Z"
},
{
"url": "https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/",
"name": "Sysrv",
"refsource": "vulncheck-botnets",
"date_added": "2021-04-24T00:00:00Z"
},
{
"url": "https://cujo.com/the-sysrv-botnet-and-how-it-evolved/",
"name": "Sysrv",
"refsource": "vulncheck-botnets",
"date_added": "2021-09-22T00:00:00Z"
},
{
"url": "https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf",
"name": "Sysrv",
"refsource": "vulncheck-botnets",
"date_added": "2022-04-27T00:00:00Z"
},
{
"url": "https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743",
"name": "Kinsing",
"refsource": "vulncheck-botnets",
"date_added": "2020-01-16T00:00:00Z"
}
]
}
]
}
The above example response shows what the
exploitsindex returns forCVE-2019-3396.
Introduction
The VulnCheck Exploit & Vulnerability Intelligence product helps organizations enrich their existing vulnerability reporting and solve the vulnerability prioritization challenge.
Threat Actor Naming
Tracking threat actors across the cybersecurity industry can be a challenge, given vendors inconsistent naming strategies.
